EP0598739B1 - Network monitoring method and apparatus - Google Patents

Network monitoring method and apparatus Download PDF

Info

Publication number
EP0598739B1
EP0598739B1 EP92913152A EP92913152A EP0598739B1 EP 0598739 B1 EP0598739 B1 EP 0598739B1 EP 92913152 A EP92913152 A EP 92913152A EP 92913152 A EP92913152 A EP 92913152A EP 0598739 B1 EP0598739 B1 EP 0598739B1
Authority
EP
European Patent Office
Prior art keywords
connection
call
record
protocol data
active group
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
EP92913152A
Other languages
German (de)
French (fr)
Other versions
EP0598739A1 (en
Inventor
James Robertson Galloway
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
HP Inc
Original Assignee
Hewlett Packard Co
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hewlett Packard Co filed Critical Hewlett Packard Co
Publication of EP0598739A1 publication Critical patent/EP0598739A1/en
Application granted granted Critical
Publication of EP0598739B1 publication Critical patent/EP0598739B1/en
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/18Protocol analysers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/10Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L43/106Active monitoring, e.g. heartbeat, ping or trace-route using time related information in packets, e.g. by adding timestamps

Definitions

  • the present invention relates to a method and apparatus for monitoring communication connections established over a network and in particular, but not exclusively, to the generation of call records for connections conducted in accordance with the TCP/IP protocols.
  • Entities communicating with each other over a data communications network generally do so by the exchange of data packets in accordance with a predetermined protocol.
  • the communication service provided between the entities will generally be either connectionless or connection-oriented.
  • a connectionless service is one in which each packet is handled in isolation from any other packet, the service having no appreciation of whether or not the packet is one of a number of packets that together form a complete message.
  • connection-oriented service will establish a virtual circuit between entities that wish to communicate, in order to provide a reliable stream transport service for the packets passed between the entities, the virtual circuit being closed when the entities have finished communicating with each other; such a communication path established between entities over a virtual circuit is generally referred to as a connection whilst the communication transaction carried out from the setting up to the taking down of a connection is often referred to as a call.
  • European patent application no. 0 478 175 describes a protocol analyzer which monitors a selected communication connection that is being conducted in accordance with a predetermined protocol by the exchange of protocol data units between two entities over a data network. To this end, the analyzer identifies protocol data units relevant to the selected connection, and follows the progress of the selected connection as it receives the relevant protocol data units, to indicate when the sequence of protocol data units diverges from the predetermined protocol.
  • each call record will normally record aggregated quantitative information (for example, number of data bytes transferred) for the protocol data units relevant to each direction of data flow between the pair of entities involved in the connection to which the record relates.
  • the aforesaid associated connection information of each protocol data unit may, for example, comprise the network addresses of each of the entities of the pair of entities associated with the connection to which the protocol data unit relates; in this case, the method preferably includes the step of identifying the connection to which each protocol data unit relates by forming a connection identifier from the network addresses contained in the associated connection information in a manner such that the connection identifier has a form that is independent of the direction of passage of the protocol data unit between the entities, the connection identifier being used in said maintaining step to identify the corresponding call record.
  • each call record in the active group is preferably provided with a respective activity indicator which is set when the record is created and when the record is updated.
  • the removal of call records from the active group is then effected by checking the call records of the active group at intervals and each time removing those records whose activity indicators are in a reset state and resetting the activity indicators of the remaining call records.
  • the method preferably includes the steps of identifying these control codes and storing them as part of the associated call record; this then enables call fragments erroneously identified as separate calls, to be subsequently pieced together by scanning the call records of the completed-call group for records relating to connections between the same pair of entities, and determining from the control codes stored in such records whether the records fit together as partial records of the same connection.
  • each call record includes a start-of-call information item set upon creation of that record to indicate a start time of the corresponding connection, and an end-of-call information item which is updated for each protocol data unit subsequently identified as relevant to that record to indicate a potential end time of the corresponding connection.
  • the step of monitoring the network advantageously involves associating a respective time stamp with each said protocol data unit that is identified in that step; the start-of-call information item of each call record is then set to the time stamp of the protocol data unit causing the call record to be created, and the end-of-call information item of the same record is set in turn to the time stamp of each successive protocol data unit identified as relevant to the connection concerned.
  • each call record may include the identity of the entity initiating the corresponding connection, the control codes associated with the protocol data unit causing a new call record to be added to the active group serving to indicate which of the two communicating entities involved with a connection initiated the connection.
  • the method and apparatus of the invention are particularly suited to call record generation where communication is effected using the TCP/IP protocol suite.
  • FIG. 1 of the accompanying drawings shows conceptual protocol stacks 1 and 2 operated by two end systems in communicating with each other over a network (12).
  • Each protocol stack 1,2 is made up of a number of different layers each of which performs a particular task in the communication process.
  • layer N in each protocol stack 1,2 this layer N provides services to the layer above (layer N+1) and in doing so utilizes services provided by the layer below (layer N-1).
  • a protocol entity 3,4 controls the carrying out of the communication tasks assigned to that layer, this control being effected in coordination with the corresponding protocol entity of the communicating end system.
  • the protocol entities 3,4 in the same protocol layer of the communicating end systems communicate and coordinate with each other in accordance with a peer protocol (for layer N this is the layer N protocol shown in Figure 1).
  • the peer protocol defines the form and sequencing of messages passed between the peer protocol entities 3,4 in the form of protocol data units 5,6.
  • Each protocol data unit (PDU) 5,6 contains protocol control information PCI and one or more service data units SDU, the latter being data which the layer N protocol entity is handling on behalf of the layer N+1 above.
  • protocol data units 34 Whilst conceptually the peer protocol entities 3,4 are communicating with each other by passing protocol data units directly between themselves, in practice, of course, the protocol data units must pass down one protocol stack, across the network 12 and up the other protocol stack to the relevant layer N.
  • a protocol data unit passed by the protocol entity of layer N down to layer N-1 is treated by that latter layer as a service data unit SDU and handled appropriately.
  • Such conceptual layering of communication protocol stacks is well known in the art - see, for example, the seven-layer OSI (Open Systems Interconnect) model defined by the International Standards Organization (International Standard ISO7498). It will be appreciated that in practice the protocol stacks are implemented primarily in software, although the lower levels may well be effected using dedicated hardware.
  • OSI Open Systems Interconnect
  • Each peer protocol may be connectionless or connection-oriented in form. If a peer protocol N is connectionless, the associated protocol entities 3, 4 handle each service data unit SDU passed down to them from layer N+1 as an isolated item; in contrast, if a peer protocol N is connection-oriented, the associated protocol entities 3,4 provide a reliable stream transport service for service data units SDUs passed down from the layer N+1. Generally, most of the peer protocols will be connectionless with one or two key peer protocols being connection-oriented.
  • a protocol entity in layer N may be required to provide a service to a number of different protocol entities in the layer N+1 above. This generally requires that an entity in layer N+1 of a first end system, when sending a protocol data unit PDU to its peer entity in a second end system, provides adequate identification of the destination peer entity to the layer N service - providing entity of the first end system, so that the peer entity in layer N of the second end system can forward the PDU to the appropriate entity in layer N+1.
  • a protocol entity in, for example, layer N+1 of one end system may also be required to communicate with peer entities in a number of other end systems.
  • the layer N protocol is connection-oriented, then, of course, it is inadequate for the layer N protocol entity to keep track of its current connections simply by reference to the identity of the destination layer N+1 entity. Instead, connections are frequently identified by reference to the combination of source and destination entity identities.
  • the present invention relates to communications between entities, for example in layer N+1, by the transfer of protocol data units using the services of the layer-N protocol entities, where the layer N peer protocol is connection-oriented.
  • the well known transmission control protocol TCP is used as an example of a connection-oriented protocol, this protocol being used in conjunction with the Internet Protocol IP.
  • TCP-layer entities use pairings of endpoints to identify a connection, where an endpoint is the combination of a parameter (IP address) identifying the end system concerned (or, more accurately, an interface of the end system to the network), and a parameter (TCP port number) indicating the source/destination endpoint entity within the end system with which the TCP protocol entity is to communicate.
  • IP address identifying the end system concerned
  • TCP port number indicating the source/destination endpoint entity within the end system with which the TCP protocol entity is to communicate.
  • FIG. 2 illustrates how a protocol data unit (PDU) 20 is prepared for transmission over a network from an endpoint entity A in one end system to a peer endpoint entity B (not shown) in another end system in accordance with the TCP/IP protocols, it being assumed that an appropriate TCP connection has already been established.
  • the PDU 20 is passed down through three protocol layers (TCP layer 22, IP layer 23, and network interface layer 24) before being sent across the network to the receiving end system.
  • TCP layer 22, IP layer 23, and network interface layer 24 protocol layers
  • an encapsulation process takes place as will be described more fully below; although not illustrated in Figure 2 for reasons of simplicity, a fragmentation process may also occur in one or more layers with the data received by the layer being split up into several units before being passed to the next layer.
  • the basic protocol data unit of the TCP layer protocol is the TCP segment 25 which comprises a TCP header 26 and a TCP data area 27.
  • the TCP header 26 contains a number of information fields of which only those relevant to the present invention are illustrated, these being a source port field 28 holding the TCP port number of the endpoint entity A, a destination port field 29 holding the TCP port number of the destination endpoint entity B to which the PDU 20 is being sent, a sequence number field 30 containing a sequence number for the current TCP segment 25 in relation to other such segments for the same connection, an acknowledgement number field 31 for containing the sequence number of the segment next expected from the peer TCP layer 22 in relation to a current connection, and a code field 32 containing various control codes.
  • Each TCP segment 25 is passed down to the IP layer 23 as a service data unit of that layer.
  • the basic protocol data unit of the IP layer 23 is the IP datagram 35 comprising an IP header 36 and an IP data area 37.
  • the IP data area 37 is occupied by the service data unit received from the TCP layer 22, that is by the TCP segment 25.
  • the fields of the IP header relevant to the present invention are a source IP address field 38 indicating the IP address of the sending end system, and a destination IP address field 39 containing the IP address of the receiving end system.
  • the source and destination IP addresses are made available to the TCP layer 22 to enable the latter to identify connections based on the pairings of IP address and TCP port number for the source and destination endpoint entities.
  • the network interface layer 24 serves to match the characteristics of the underlying physical transmission network to the higher-level layers.
  • the network interface layer 24 is arranged to receive IP datagrams 35 as service data units.
  • the basic protocol data unit of the network interface layer 24 is a frame 45 which comprises a frame header 46 and a frame data area 47.
  • the frame data area is occupied by the service data unit received from the IP layer 23, that is by the IP datagram 35.
  • each frame 45 appearing on the physical network contains the IP address and TCP port number of the source and destination endpoint entities using the services of the TCP layer 22 to communicate with each other, these parameters being sufficient to uniquely identify the TCP connection involved.
  • each IP datagram may be fragmented across several frames; however, generally the frame carrying the first fragment of an IP datagram will be of sufficient size that this fragment includes not only the datagram header, but also the TCP header of the TCP segment encapsulated in the datagram; this is assumed to be the case for the purposes of the following description.
  • the TCP layer 22 provides a connection-oriented communication service to the layer above, that is to the endpoint entity A of Figure 2.
  • the overall progression of a communication between endpoint entities A and B is therefore as follows.
  • the endpoint entity A requesting the services of the TCP layer 22, the latter establishes a connection with the peer TCP layer in the end system containing the endpoint entity B.
  • PDUs 20 are passed between the endpoint entity A and its peer entity B until both these entities have finished communicating. Thereafter, the TCP layer closes the connection.
  • Figure 3 illustrates the handshakes involved in establishing and closing down a TCP connection.
  • TCP peer entities in end systems 1 and 2 are considered.
  • the top half of Figure 3 shows the handshakes involved in opening a TCP connection.
  • the TCP layer entity in end system 1 initiates opening of the connection by sending a segment 25 to its peer entity in end system 2 with a SYN bit set in the code bits field 32 of the TCP header 26 (arrow 50).
  • the TCP entity in end system 2 responds with the segment in which SYN and ACK bits are set (arrow 51).
  • Successful receipt of this reply by the TCP entity in end system 1 results in a concluding handshake segment being sent from end system 1 to end system 2 in which the ACK bit in the code bits field 32 is set (arrow 52); this serves to inform the end system 2 that both sides have agreed that a connection has been established.
  • sequence numbers are sent and acknowledged to enable subsequent tracking of segments exchanged during reconnection. These sequence numbers and acknowledgement numbers are contained in fields 30 and 31 of the TCP header 26.
  • FIG. 3 illustrates the handshakes involved in closing down a TCP connection. Closing a connection takes place in two stages with the connection first being closed in one direction when the sending TCP entity for that direction has no further data to communicate, and then subsequently in the other direction when the other TCP entity has finished sending data.
  • the TCP layer entity in end system 1 first wishes to close the connection and to do this it sends a segment 25 in which a FIN bit is set in the code bits field 32 of the TCP header 26 (arrow 53). The receipt of this segment is in due course acknowledged by the TCP entity in end system 2 by the return of a segment with the ACK bit set (arrow 54).
  • the TCP entity in end system 2 then continues to send segments carrying data until no more data remains to be communicated. At that time, the TCP entity in end system 2 sends a segment with the FIN and ACK bits set in the code bits field (arrow 55). Successful receipt of this segment by the TCP entity in end system 1 is acknowledged by a final segment 25 being sent with its ACK bit set (arrow 56).
  • FIG 4 illustrates the call record generator 61 embodying the present invention, the call record generator 61 being connected to monitor a network 60 in order to provide a record of each TCP connection (or call) temporarily established over the network.
  • the call record generator 61 comprises a network interface unit 62 connected to the network 60 and a processing sub-system 63 including a processor 65 and memory 64.
  • the memory 64 will generally comprise working RAM memory, ROM memory for program storage, and disk memory (these elements are not individually shown in Figure 4 for reasons of clarity).
  • the network interface unit 62 captures each frame 45 appearing on the network and passes it to the processor sub-system 63 for processing.
  • the processing sub-system 63 utilizes four main data structures 66-69 and executes four main processes 70-73.
  • the process 70 is initiated (for example as an interrupt service routine) to extract datagram information from the frame and store the datagram, together with a time stamp, in a buffer constituted by the data structure 66.
  • the stored datagram information will generally only comprise the information of interest, namely the IP header and the header of the encapsulated TCP segment; furthermore, if the datagram has been subject to fragmentation, then only the first fragment, containing the IP header and the header of the encapsulated TCP segment, is processed, all other fragments being discarded.
  • the process 71 which runs in background continuously monitors the buffer 66 for new entries and whenever one or more entries are present, extracts the head entry for processing. As will be more fully described hereinafter, this processing involves identifying the connection to which the head entry datagram belongs and then updating a corresponding call record for that connection, the call records for active connections being held in a control block table constituted by the data structure 67. If a datagram corresponds to a connection for which no call record exists in the control block table 67, then a new record is created by the process 71. The process 71 also keeps a separate linked list of active call records, this list constituting the data structure 68. Each call record contains statistics on the corresponding TCP connection as will be more fully described hereinafter with reference to Figure 5.
  • a completion scan process 72 is run which scans the call records in the control block table 67 and removes any records which have been inactive for a given minimum period (by "inactive " is here meant that the record has not been updated in response to receipt of a further datagram associated with the connection concerned).
  • the process 72 uses the linked list 68 of call records to carry out the scanning of the call records. Any call records identified as inactive by the process 72 are removed to a completed call record archive constituted by the data structure 69 (this archive is, for example, kept in disk storage or held off-line rather than being stored in RAM).
  • a call-record fragment assembly process 73 which is an offline process, is used to examine the call records contained in the archive 69 for records which in fact constitutes call record fragments relating to the same connection, as will be explained more fully below.
  • this unique connection identifier is formed by the tuple of (IP address, TC port) of each endpoint entity with the numerically greater address plus port number always being placed first.
  • the resulting connection identifier would be ((16.8.9.123,111),(15.8.61.123,123)).
  • connection identifier will be: ( [aIP1.aIP2.aIP3.aIP4], [aPort1.aPort2]) ( [bIP1.bIP2.bIP3.bIP4], [bPort1.bPort2] ) where (aIP.aPort > bIP.bPort)
  • connection identifier is, as already noted above, generated by the process 71.
  • the connection identifier is not used directly to access the corresponding call record in the control block table 67 as, instead a hash key is created from the connection identifier and used to hash into the control block table 67.
  • the hash key used is: (aIP4, bPort2, aPort2, bIP4)
  • each call record includes a first group of fields containing the connection identifier for the connection to which the call record relates, a start time field corresponding to the time stamp associated by the process 70 with the IP datagram giving rise to the generation of the call record, an end time field corresponding to the time stamp associated with the most recently received datagram used to update the call record 75, a call origin field containing an indication of which endpoint entity initiated the connection, and an activity flag field used in the determination of whether or not the record is still active.
  • each call record 75 includes two groups of fields 77,78 relating to the statistics of the call in each of the two directions.
  • the call record 75 includes fields containing the physical address of A (this information is extracted from each frame received by the call record generator and stored along with the datagram information by the process 70), the IP address and TCP port number of endpoint entity A, the total number of TCP bytes sent to endpoint A, the total number of TCP segments sent to endpoint A, the total number of IP bytes sent to endpoint A, a cumulative set of all TCP flags sent to A, the first sequence number sent to A and the last sequence number sent to A. Corresponding fields are present in the record 75 for the endpoint entity B.
  • the reason sequence numbers are collected is to validate the total number of TC bytes sent in a particular direction. For any given direction, the second sequence number minus the first sequence number will give an approximate indication of the total number of TCP bytes sent in that direction; this indication is only approximate because there are cases, namely ACK segments, where no TCP data is present but the sequence number is incremented by 1.
  • the set of all TCP flags seen is collected to facilitate call record fragment reassembly carried out by process 73.
  • the process 71 continually checks the buffer 66 (step 81) until it detects that a datagram with its associated time stamp has been entered into the buffer. Thereupon the process 71 retrieves the head entry from the buffer 66 (step 82) and constructs the connection identifier for the head entry datagram (step 83). The process 71 also constructs the corresponding hash key for the connection (step 84) and then attempts to access the control block table 67 using this hash key (step 85).
  • An open hashing technique is used, that is, collision resolution is achieved by maintaining separate overflow areas for each entry in the hash table 67.
  • step 86 If no entry is found at the location indicated by the hash key, then it is assumed that the datagram being processed relates to a new connection (step 86); if, however, a matching entry is found at the location indicated by the hash key, then it is assumed that the datagram relates to the connection associated with the call record at that location.
  • the process 71 now proceeds to create a new call record 75 in the control block table 67 (step 87) and to update the active record list 68 (step 88).
  • the process 71 enters the connection identifier in the corresponding record field and also fills in the start time and call origin fields (step 89).
  • the start time field is used to hold the time stamp associated with the datagram initiating call record generation.
  • the call origin field of the call record 75 contains an indication as to which end point entity of the connection originated the call.
  • the call origin field of the call record 75 is set to contain an indication that the origin is unknown.
  • the process 71 In generating a new call record 75, the process 71 also enters for each endpoint entity, the physical address, IP address and TCP port number of that entity (step 90).
  • step 91 the end time field of the call record is set to the time stamp of the datagram being processed by process 71 (of course, for a newly-created call record, the end time will correspond to the start time); in addition, the activity flag of the call record is set.
  • step 92 statistics relating to the receiving endpoint entity are updated. In particular, the first sequence number is entered in the call record if not already present, the number of TCP bytes, TCP segments, and IP bytes are updated, the accumulated set of TCP flags is updated, and the last sequence number seen is entered.
  • process 71 After completion of step 92, process 71 returns to checking for an entry to be processed in buffer 66 (step 81).
  • the removal of calls corresponding to connections which have terminated from the group of active call records in control block table 67 is effected by the completion scan process 72.
  • This process 72 is illustrated in flow chart form in Figure 7. More particularly, at periodic time intervals, for example once every three minutes, set by an interrupt timer, the process 72 is started (step 100) and a next-entry pointer is initialised to point to the head of the active call record list 68 (step 101). Thereafter, the list entry pointed to by the next-entry pointer is fetched (step 102) and the next-entry pointer is updated to point to the subsequent list entry, if any. Next, the activity flag of the call record identified by the fetched list entry is examined (step 103).
  • this activity flag is in a reset state this indicates that the call record has not been created or updated since the last running of the completion scan processor 72 (it being recalled that the activity flag is set by process 71 during creation/updating of a call record); these records are taken as relating to completed connections and, accordingly, the process 72 proceeds to remove these records from the active call record group held in table 67 and transfer them to the completed call record archive 69 (step 104). Thereafter, the process 72 updates the active call list 68 by removing the entry corresponding to the transferred call record.
  • step 106 In the event of the activity flag of the call record checked in step 103 being in a set state, it is assumed that the corresponding connection is still active and the call record is left in the control block table 67; however, its activity flag is reset (step 106).
  • step 108 the process 72 checks whether any more entries are present in the list 68 as indicated by the next-entry pointer. If further entries are present, then the process loops back to step 102. However, if all entries in the list have been processed, process 72 restarts the interrupt timer used to time the intervals between successive scans by the process 72 (step 109) and then terminates (step 110).
  • an existing call record is not updated in the period between successive scans, then it will be removed from the active call group held in the control block table 67 during the running of the later of the completion scan process 72.
  • the interval between successive runs of the process 72 is three minutes. However, other intervals are possible although the intervals should be longer than 45 seconds as this is the interval that TCP keep-alive packets are sent on certain types of TCP connection.
  • the choice of interval comes down to a trade-off between using up space in the table 67 for idle/complete connections, the amount of time required to scan the active call group, and the amount of off-line call record fragment reassembly that needs to be done to build up complete call records from previously generated incomplete ones (the process 73 illustrated in Figure 4).
  • the advantages of the above-described process 72 is that it obviates the need to check all datagrams to see if it is the last one to be sent for a particular TCP connection and this reduces the processing time per datagram. Furthermore, the process 72 is still effective even if the datagrams containing the connection close-down sequence are lost.
  • the call-record fragment assembly process 73 is used to reassemble these call record fragments by reference to the code bits noted in the TCP flag field of each call record. More particularly, by using the TCP flag list and the start and end times, the process 73 pieces together call record fragments into a set of complete call records.
  • a call record might be split into three calls and the TCP flag list of each of the call records might be as follows: Record 1 - SYN, ACK, PUSH Record 2 - ACK, PUSH Record 3 - ACK, PUSH, FIN
  • the call record generator and monitoring method can be applied to monitoring of connections other than TCP connections.
  • a filter could be incorporated into the call record generator to filter out certain categories of frames so that, for example, the call record generator only generated records in respect of calls sourced from a particular network node or sub-network.
  • the completion-scan process 72 to use the end time field of each call record to judge whether the corresponding connection is still active. In this case, the contents of the end time field would be compared to the current time as provided by the time stamp timing source. Such an arrangement would obviate the need for an activity flag field.
  • Another possible variant would be to store both the active and completed call records in the same memory and o distinguish the members of each group from each other by an appropriate flag associated with each record. Furthermore, it will be appreciated that it is not essential to use a hash table for accessing the active call records.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Debugging And Monitoring (AREA)
  • Computer And Data Communications (AREA)
  • Communication Control (AREA)
  • Maintenance And Management Of Digital Transmission (AREA)

Abstract

A network monitoring method and apparatus (61) is disclosed for monitoring communication connections temporarily established over a network (60) between respective pairs of entities for passing protocol data units therebetween. The connections are, for example, conducted in accordance with the TCP/IP protocol suite. The method involves the steps of monitoring the network to identify the protocol data units and the connection to which each such unit relates, and maintaining an active group (67) of call records each representing a respective connection considered to be currently active. The active group (67) of call records is maintained by adding a new call record to the group each time a protocol data unit is identified as relating to a connection unrepresented in the active group (67); updating an existing call record in the group (67) in response to any further protocol data units being identified as relevant to the connection represented by that record; and removing an existing call record from the active group to a completed-call group (69) when the corresponding connection is judged completed having regard to a continuing absence of further protocol data units relevant to that connection.

Description

TECHNICAL FIELD
The present invention relates to a method and apparatus for monitoring communication connections established over a network and in particular, but not exclusively, to the generation of call records for connections conducted in accordance with the TCP/IP protocols.
BACKGROUND ART
Entities communicating with each other over a data communications network generally do so by the exchange of data packets in accordance with a predetermined protocol. Depending on the particular protocol used, the communication service provided between the entities will generally be either connectionless or connection-oriented. A connectionless service is one in which each packet is handled in isolation from any other packet, the service having no appreciation of whether or not the packet is one of a number of packets that together form a complete message. In contrast, a connection-oriented service will establish a virtual circuit between entities that wish to communicate, in order to provide a reliable stream transport service for the packets passed between the entities, the virtual circuit being closed when the entities have finished communicating with each other; such a communication path established between entities over a virtual circuit is generally referred to as a connection whilst the communication transaction carried out from the setting up to the taking down of a connection is often referred to as a call.
It is well known to provide network monitoring equipment both for the purpose of traffic monitoring and for the purpose of fault analysis. Such monitoring equipment is mostly concerned either with analyzing individual packets or with the aggregate effect of the monitored packets as a whole (for example, for traffic estimation and network planning). US patent specification 5,101,402 discloses a somewhat more sophisticated approach that provides for the collection of statistics on sessions conducted across connections. However, a drawback of the method disclosed in US 5,101,402 is that it must track session protocol interactions in order to ascertain when each session terminates; as a consequence, if the passage of the relevant protocol command terminating a session is missed for any reason (such as noise or packet rerouting), an error condition will result.
European patent application no. 0 478 175 describes a protocol analyzer which monitors a selected communication connection that is being conducted in accordance with a predetermined protocol by the exchange of protocol data units between two entities over a data network. To this end, the analyzer identifies protocol data units relevant to the selected connection, and follows the progress of the selected connection as it receives the relevant protocol data units, to indicate when the sequence of protocol data units diverges from the predetermined protocol.
In a paper entitled Methods for Internet Monitoring, by Charles J. Cotton, 10th Conference on Local Computer Networks, 7-9 Oct 1985, pp. 32-40, a technique is described for monitoring packet traffic on a communications network by collecting statistical data at each of several distributed monitors, and sending those data encapsulated into UDP and IP packets over the network to a central collection host.
It is an object of the present invention to provide a method and apparatus for monitoring calls over a network that is resilient to packet loss.
DISCLOSURE OF THE INVENTION
According to one aspect of the present invention, there is provided a method of monitoring communication connections temporarily established over a network between respective pairs of entities for passing protocol data units therebetween, each protocol data unit passed over the network being provided by the sending entity with associated connection information identifying the connection to which it relates, the method involving the step of monitoring the network to identify said protocol data units and the connection to which each such unit relates, characterized by the step of maintaining an active group of call records each representing a respective said connection considered to be currently active, said maintaining step involving:
  • adding a new call record to said active group each time a said protocol data unit is identified as relating to a connection unrepresented in said active group;
  • updating an existing call record in said active group in response to any further said protocol data units being identified as relevant to the connection represented by that record; and
  • removing an existing said call record from said active group when said connection is judged completed having regard to a continuing absence of further protocol data units relevant to said connection.
Generally, the call records removed from the active group are retained as a completed-call group of records thereby providing a historical record of calls made. Furthermore, each call record will normally record aggregated quantitative information (for example, number of data bytes transferred) for the protocol data units relevant to each direction of data flow between the pair of entities involved in the connection to which the record relates.
The aforesaid associated connection information of each protocol data unit may, for example, comprise the network addresses of each of the entities of the pair of entities associated with the connection to which the protocol data unit relates; in this case, the method preferably includes the step of identifying the connection to which each protocol data unit relates by forming a connection identifier from the network addresses contained in the associated connection information in a manner such that the connection identifier has a form that is independent of the direction of passage of the protocol data unit between the entities, the connection identifier being used in said maintaining step to identify the corresponding call record.
To facilitate the removal of call records from the active group, each call record in the active group is preferably provided with a respective activity indicator which is set when the record is created and when the record is updated. The removal of call records from the active group is then effected by checking the call records of the active group at intervals and each time removing those records whose activity indicators are in a reset state and resetting the activity indicators of the remaining call records.
Where at least some of the protocol data units have associated control codes relevant to the progression of the connections to which they relate, the method preferably includes the steps of identifying these control codes and storing them as part of the associated call record; this then enables call fragments erroneously identified as separate calls, to be subsequently pieced together by scanning the call records of the completed-call group for records relating to connections between the same pair of entities, and determining from the control codes stored in such records whether the records fit together as partial records of the same connection.
Preferably, each call record includes a start-of-call information item set upon creation of that record to indicate a start time of the corresponding connection, and an end-of-call information item which is updated for each protocol data unit subsequently identified as relevant to that record to indicate a potential end time of the corresponding connection. To this end, the step of monitoring the network advantageously involves associating a respective time stamp with each said protocol data unit that is identified in that step; the start-of-call information item of each call record is then set to the time stamp of the protocol data unit causing the call record to be created, and the end-of-call information item of the same record is set in turn to the time stamp of each successive protocol data unit identified as relevant to the connection concerned.
Where at least some of said protocol data units have associated control codes relevant to the establishment of the connections to which they relate, each call record may include the identity of the entity initiating the corresponding connection, the control codes associated with the protocol data unit causing a new call record to be added to the active group serving to indicate which of the two communicating entities involved with a connection initiated the connection.
According to another aspect of the present invention, there is provided apparatus for monitoring communication connections temporarily established over a network between respective pairs of entities for passing protocol data units therebetween, each protocol data unit passed over the network being provided by the sending entity with associated connection information identifying the connection to which it relates, said apparatus comprising monitoring means for monitoring the network to identify said protocol data units and the connection to which each such unit relates, and characterized by call-record means connected to said monitoring means and operative to maintain an active group of call records each representing a respective said connection considered to be currently active, said call-record means comprising:
  • storage means for storing said active group of call records,
  • record-creation means for determining whether the said connection to which each said protocol data unit relates, as identified by said monitoring means, is represented by a said call record in said active group, and where said connection is determined to be unrepresented by a said call record, adding a new call record to said active group;
  • record-updating means for updating an existing call record in said active group in response to any further said protocol data units being identified by said monitoring means as relevant to the connection represented by that record; and
  • record-removal means for removing an existing said call record from said active group when said connection is judged inactive having regard to when the last protocol data unit relevant to said connection was identified.
The method and apparatus of the invention are particularly suited to call record generation where communication is effected using the TCP/IP protocol suite.
BRIEF DESCRIPTION OF THE DRAWINGS
A call record generator embodying the present invention and a network monitoring method in accordance the invention, will now be particularly described, by way of nonlimiting example, with reference to the accompanying diagrammatic drawings, in which:
Figure 1
is a diagram illustrating protocol stacks of two communicating end systems;
Figure 2
is a diagram illustrating the encapsulation of data transmitted between communicating entities in accordance with the TCP/IP protocol suite;
Figure 3
is a diagram illustrating the exchange of control messages between end systems during the opening and closing of a TCP/IP connection;
Figure 4
is a diagram illustrating the main processes and data structures employed in the network monitoring method;
Figure 5
illustrates the contents of a call record constructed during the network monitoring method;
Figure 6
is a flow diagram of a "Process Next Datagram" process illustrated in Figure 4; and
Figure 7
is a flow diagram of a "Completion Scan" process illustrated in Figure 4.
BEST MODE FOR CARRYING OUT THE INVENTION
Figure 1 of the accompanying drawings shows conceptual protocol stacks 1 and 2 operated by two end systems in communicating with each other over a network (12). Each protocol stack 1,2 is made up of a number of different layers each of which performs a particular task in the communication process. Considering by way of explanation, layer N in each protocol stack 1,2, this layer N provides services to the layer above (layer N+1) and in doing so utilizes services provided by the layer below (layer N-1).
Within each layer N a protocol entity 3,4 controls the carrying out of the communication tasks assigned to that layer, this control being effected in coordination with the corresponding protocol entity of the communicating end system. Conceptually the protocol entities 3,4 in the same protocol layer of the communicating end systems communicate and coordinate with each other in accordance with a peer protocol (for layer N this is the layer N protocol shown in Figure 1). The peer protocol defines the form and sequencing of messages passed between the peer protocol entities 3,4 in the form of protocol data units 5,6. Each protocol data unit (PDU) 5,6 contains protocol control information PCI and one or more service data units SDU, the latter being data which the layer N protocol entity is handling on behalf of the layer N+1 above.
Whilst conceptually the peer protocol entities 3,4 are communicating with each other by passing protocol data units directly between themselves, in practice, of course, the protocol data units must pass down one protocol stack, across the network 12 and up the other protocol stack to the relevant layer N. A protocol data unit passed by the protocol entity of layer N down to layer N-1 is treated by that latter layer as a service data unit SDU and handled appropriately.
Such conceptual layering of communication protocol stacks is well known in the art - see, for example, the seven-layer OSI (Open Systems Interconnect) model defined by the International Standards Organization (International Standard ISO7498). It will be appreciated that in practice the protocol stacks are implemented primarily in software, although the lower levels may well be effected using dedicated hardware.
Each peer protocol may be connectionless or connection-oriented in form. If a peer protocol N is connectionless, the associated protocol entities 3, 4 handle each service data unit SDU passed down to them from layer N+1 as an isolated item; in contrast, if a peer protocol N is connection-oriented, the associated protocol entities 3,4 provide a reliable stream transport service for service data units SDUs passed down from the layer N+1. Generally, most of the peer protocols will be connectionless with one or two key peer protocols being connection-oriented.
A protocol entity in layer N may be required to provide a service to a number of different protocol entities in the layer N+1 above. This generally requires that an entity in layer N+1 of a first end system, when sending a protocol data unit PDU to its peer entity in a second end system, provides adequate identification of the destination peer entity to the layer N service - providing entity of the first end system, so that the peer entity in layer N of the second end system can forward the PDU to the appropriate entity in layer N+1.
A protocol entity in, for example, layer N+1 of one end system may also be required to communicate with peer entities in a number of other end systems. In this case, where the layer N protocol is connection-oriented, then, of course, it is inadequate for the layer N protocol entity to keep track of its current connections simply by reference to the identity of the destination layer N+1 entity. Instead, connections are frequently identified by reference to the combination of source and destination entity identities.
The present invention relates to communications between entities, for example in layer N+1, by the transfer of protocol data units using the services of the layer-N protocol entities, where the layer N peer protocol is connection-oriented. In the following description, the well known transmission control protocol TCP is used as an example of a connection-oriented protocol, this protocol being used in conjunction with the Internet Protocol IP.
In TCP/IP networks, TCP-layer entities use pairings of endpoints to identify a connection, where an endpoint is the combination of a parameter (IP address) identifying the end system concerned (or, more accurately, an interface of the end system to the network), and a parameter (TCP port number) indicating the source/destination endpoint entity within the end system with which the TCP protocol entity is to communicate. A fuller explanation of TCP connection identification may be found in a reference work such as "Internetworking with TCP/IP", Douglas E. Comer, Volume 1, Second Edition 1991, Prentice-Hall.
Figure 2 illustrates how a protocol data unit (PDU) 20 is prepared for transmission over a network from an endpoint entity A in one end system to a peer endpoint entity B (not shown) in another end system in accordance with the TCP/IP protocols, it being assumed that an appropriate TCP connection has already been established. As can be seen, the PDU 20 is passed down through three protocol layers (TCP layer 22, IP layer 23, and network interface layer 24) before being sent across the network to the receiving end system. In each layer, an encapsulation process takes place as will be described more fully below; although not illustrated in Figure 2 for reasons of simplicity, a fragmentation process may also occur in one or more layers with the data received by the layer being split up into several units before being passed to the next layer.
As illustrated in Figure 2, the basic protocol data unit of the TCP layer protocol is the TCP segment 25 which comprises a TCP header 26 and a TCP data area 27. The PDU 20 passed down from the endpoint entity A to the TCP layer 22, constitutes a service data unit for the TCP layer 22 and forms the TCP data area 27 of a TCP segment 25. The TCP header 26 contains a number of information fields of which only those relevant to the present invention are illustrated, these being a source port field 28 holding the TCP port number of the endpoint entity A, a destination port field 29 holding the TCP port number of the destination endpoint entity B to which the PDU 20 is being sent, a sequence number field 30 containing a sequence number for the current TCP segment 25 in relation to other such segments for the same connection, an acknowledgement number field 31 for containing the sequence number of the segment next expected from the peer TCP layer 22 in relation to a current connection, and a code field 32 containing various control codes.
Each TCP segment 25 is passed down to the IP layer 23 as a service data unit of that layer. The basic protocol data unit of the IP layer 23 is the IP datagram 35 comprising an IP header 36 and an IP data area 37. The IP data area 37 is occupied by the service data unit received from the TCP layer 22, that is by the TCP segment 25. The fields of the IP header relevant to the present invention are a source IP address field 38 indicating the IP address of the sending end system, and a destination IP address field 39 containing the IP address of the receiving end system. The source and destination IP addresses are made available to the TCP layer 22 to enable the latter to identify connections based on the pairings of IP address and TCP port number for the source and destination endpoint entities.
In practice, there is frequently a one-to-one correspondence between TCP segments and IP datagrams with no fragmentation of TCP segments; for simplicity, such an arrangement is assumed hereinafter.
The network interface layer 24 serves to match the characteristics of the underlying physical transmission network to the higher-level layers. The network interface layer 24 is arranged to receive IP datagrams 35 as service data units. The basic protocol data unit of the network interface layer 24 is a frame 45 which comprises a frame header 46 and a frame data area 47. The frame data area is occupied by the service data unit received from the IP layer 23, that is by the IP datagram 35.
It will be appreciated that in the case illustrated in Figure 2, each frame 45 appearing on the physical network contains the IP address and TCP port number of the source and destination endpoint entities using the services of the TCP layer 22 to communicate with each other, these parameters being sufficient to uniquely identify the TCP connection involved. In practice, each IP datagram may be fragmented across several frames; however, generally the frame carrying the first fragment of an IP datagram will be of sufficient size that this fragment includes not only the datagram header, but also the TCP header of the TCP segment encapsulated in the datagram; this is assumed to be the case for the purposes of the following description.
As already discussed above, the TCP layer 22 provides a connection-oriented communication service to the layer above, that is to the endpoint entity A of Figure 2. The overall progression of a communication between endpoint entities A and B is therefore as follows. Upon the endpoint entity A requesting the services of the TCP layer 22, the latter establishes a connection with the peer TCP layer in the end system containing the endpoint entity B. Once the connection is established, PDUs 20 are passed between the endpoint entity A and its peer entity B until both these entities have finished communicating. Thereafter, the TCP layer closes the connection. Figure 3 illustrates the handshakes involved in establishing and closing down a TCP connection. In this Figure, TCP peer entities in end systems 1 and 2 are considered.
The top half of Figure 3 shows the handshakes involved in opening a TCP connection. In the present example, the TCP layer entity in end system 1 initiates opening of the connection by sending a segment 25 to its peer entity in end system 2 with a SYN bit set in the code bits field 32 of the TCP header 26 (arrow 50). On receiving this segment, the TCP entity in end system 2 responds with the segment in which SYN and ACK bits are set (arrow 51). Successful receipt of this reply by the TCP entity in end system 1 results in a concluding handshake segment being sent from end system 1 to end system 2 in which the ACK bit in the code bits field 32 is set (arrow 52); this serves to inform the end system 2 that both sides have agreed that a connection has been established. During this handshake process, sequence numbers are sent and acknowledged to enable subsequent tracking of segments exchanged during reconnection. These sequence numbers and acknowledgement numbers are contained in fields 30 and 31 of the TCP header 26.
The lower half of Figure 3 illustrates the handshakes involved in closing down a TCP connection. Closing a connection takes place in two stages with the connection first being closed in one direction when the sending TCP entity for that direction has no further data to communicate, and then subsequently in the other direction when the other TCP entity has finished sending data. In the Figure 3 example, it is assumed that the TCP layer entity in end system 1 first wishes to close the connection and to do this it sends a segment 25 in which a FIN bit is set in the code bits field 32 of the TCP header 26 (arrow 53). The receipt of this segment is in due course acknowledged by the TCP entity in end system 2 by the return of a segment with the ACK bit set (arrow 54). The TCP entity in end system 2 then continues to send segments carrying data until no more data remains to be communicated. At that time, the TCP entity in end system 2 sends a segment with the FIN and ACK bits set in the code bits field (arrow 55). Successful receipt of this segment by the TCP entity in end system 1 is acknowledged by a final segment 25 being sent with its ACK bit set (arrow 56).
It will be appreciated that in the course of any connection established between the TCP entities of end systems 1 and 2 there occurs a predetermined pattern of code bits in the code bit field 32 of successive segments as determined by the opening and closing handshakes illustrated in Figure 3.
Figure 4 illustrates the call record generator 61 embodying the present invention, the call record generator 61 being connected to monitor a network 60 in order to provide a record of each TCP connection (or call) temporarily established over the network. As can be seen, the call record generator 61 comprises a network interface unit 62 connected to the network 60 and a processing sub-system 63 including a processor 65 and memory 64. The memory 64 will generally comprise working RAM memory, ROM memory for program storage, and disk memory (these elements are not individually shown in Figure 4 for reasons of clarity).
The network interface unit 62 captures each frame 45 appearing on the network and passes it to the processor sub-system 63 for processing.
As illustrated in Figure 4, the processing sub-system 63 utilizes four main data structures 66-69 and executes four main processes 70-73.
More particularly, upon a frame being passed to the processing sub-system 63, the process 70 is initiated (for example as an interrupt service routine) to extract datagram information from the frame and store the datagram, together with a time stamp, in a buffer constituted by the data structure 66. The stored datagram information will generally only comprise the information of interest, namely the IP header and the header of the encapsulated TCP segment; furthermore, if the datagram has been subject to fragmentation, then only the first fragment, containing the IP header and the header of the encapsulated TCP segment, is processed, all other fragments being discarded.
The process 71 which runs in background continuously monitors the buffer 66 for new entries and whenever one or more entries are present, extracts the head entry for processing. As will be more fully described hereinafter, this processing involves identifying the connection to which the head entry datagram belongs and then updating a corresponding call record for that connection, the call records for active connections being held in a control block table constituted by the data structure 67. If a datagram corresponds to a connection for which no call record exists in the control block table 67, then a new record is created by the process 71. The process 71 also keeps a separate linked list of active call records, this list constituting the data structure 68. Each call record contains statistics on the corresponding TCP connection as will be more fully described hereinafter with reference to Figure 5.
At periodic intervals a completion scan process 72 is run which scans the call records in the control block table 67 and removes any records which have been inactive for a given minimum period (by "inactive " is here meant that the record has not been updated in response to receipt of a further datagram associated with the connection concerned). The process 72 uses the linked list 68 of call records to carry out the scanning of the call records. Any call records identified as inactive by the process 72 are removed to a completed call record archive constituted by the data structure 69 (this archive is, for example, kept in disk storage or held off-line rather than being stored in RAM).
Finally, a call-record fragment assembly process 73 which is an offline process, is used to examine the call records contained in the archive 69 for records which in fact constitutes call record fragments relating to the same connection, as will be explained more fully below.
A fundamental requirement of the overall call record generation process is, of course, that a unique connection identifier can be formed from each captured IP datagram with this identifier being the same regardless of which of the two endpoint entities generated the captured datagram. In the present example, this unique connection identifier, which is generated by the process 71, is formed by the tuple of (IP address, TC port) of each endpoint entity with the numerically greater address plus port number always being placed first. For example, if an IP datagram is captured in which the source IP address is 15.8.61.123 and the source TC port is 123, whilst the destination IP address is 16.8.9.123 and the destination TCP port is 111, then the resulting connection identifier would be ((16.8.9.123,111),(15.8.61.123,123)). More generally, if the endpoint entity A has a four byte IP address made up of bytes aIP1 to aIP4 and a two byte TCP port number made up of bytes aPort1 and aPort2, and the endpoint entity B similarly has a four byte IP address made up of bytes bIP1 to bIP4 and a 2-byte TCP port number made up of bytes bPortl and bPort2, then the connection identifier will be:
   ( [aIP1.aIP2.aIP3.aIP4], [aPort1.aPort2])
   ( [bIP1.bIP2.bIP3.bIP4], [bPort1.bPort2] )
   where (aIP.aPort > bIP.bPort)
This connection identifier is, as already noted above, generated by the process 71. In fact, the connection identifier is not used directly to access the corresponding call record in the control block table 67 as, instead a hash key is created from the connection identifier and used to hash into the control block table 67. In the present embodiment the hash key used is:
   (aIP4, bPort2, aPort2, bIP4)
The contents of each call record are illustrated in Figure 5. As can be seen each call record includes a first group of fields containing the connection identifier for the connection to which the call record relates, a start time field corresponding to the time stamp associated by the process 70 with the IP datagram giving rise to the generation of the call record, an end time field corresponding to the time stamp associated with the most recently received datagram used to update the call record 75, a call origin field containing an indication of which endpoint entity initiated the connection, and an activity flag field used in the determination of whether or not the record is still active. In addition to these general fields, each call record 75 includes two groups of fields 77,78 relating to the statistics of the call in each of the two directions. Thus, in relation to endpoint entity A, the call record 75 includes fields containing the physical address of A (this information is extracted from each frame received by the call record generator and stored along with the datagram information by the process 70), the IP address and TCP port number of endpoint entity A, the total number of TCP bytes sent to endpoint A, the total number of TCP segments sent to endpoint A, the total number of IP bytes sent to endpoint A, a cumulative set of all TCP flags sent to A, the first sequence number sent to A and the last sequence number sent to A. Corresponding fields are present in the record 75 for the endpoint entity B.
The reason sequence numbers are collected is to validate the total number of TC bytes sent in a particular direction. For any given direction, the second sequence number minus the first sequence number will give an approximate indication of the total number of TCP bytes sent in that direction; this indication is only approximate because there are cases, namely ACK segments, where no TCP data is present but the sequence number is incremented by 1. The set of all TCP flags seen is collected to facilitate call record fragment reassembly carried out by process 73.
A more detailed description regarding the generation and updating of call records by process 71 will now be given with reference to the flow diagram illustrated in Figure 6. Once initiated, the process 71 continually checks the buffer 66 (step 81) until it detects that a datagram with its associated time stamp has been entered into the buffer. Thereupon the process 71 retrieves the head entry from the buffer 66 (step 82) and constructs the connection identifier for the head entry datagram (step 83). The process 71 also constructs the corresponding hash key for the connection (step 84) and then attempts to access the control block table 67 using this hash key (step 85). An open hashing technique is used, that is, collision resolution is achieved by maintaining separate overflow areas for each entry in the hash table 67. If no entry is found at the location indicated by the hash key, then it is assumed that the datagram being processed relates to a new connection (step 86); if, however, a matching entry is found at the location indicated by the hash key, then it is assumed that the datagram relates to the connection associated with the call record at that location.
Considering first the situation where a new connection is assumed, the process 71 now proceeds to create a new call record 75 in the control block table 67 (step 87) and to update the active record list 68 (step 88). In creating the new call record, the process 71 enters the connection identifier in the corresponding record field and also fills in the start time and call origin fields (step 89). As already noted, the start time field, is used to hold the time stamp associated with the datagram initiating call record generation. The call origin field of the call record 75 contains an indication as to which end point entity of the connection originated the call. This information is inferred from the TCP code bits in the datagram initiating call record generation, it being appreciated that this first datagram will generally be one involved in the establishment of the TCP connection concerned so that the code bits in the TCP header will follow the sequence illustrated in the top half of Figure 3. In particular, there are three main cases to consider:
  • 1. The TCP code bits contain only a SYN which implies that this is the first datagram for the connection so that the connection origin is the endpoint entity identified by the source address in the datagram;
  • 2. The TCP code bits contain both a SYN and an ACK thereby indicating that the datagram relates to a response to a connection request so that the originating entity for the connection is the one identified by the datagram's destination address;
  • 3. The code bit flags do not contain a SYN; this indicates that the connection establishment phase has been missed.
  • In the last of the three cases, the call origin field of the call record 75 is set to contain an indication that the origin is unknown.
    In generating a new call record 75, the process 71 also enters for each endpoint entity, the physical address, IP address and TCP port number of that entity (step 90).
    Further entries in a call record 75 are made by the process 71 in steps 91 and 92, these entries being made both for a newly created call record and for a call record corresponding to an existing connection. In step 91, the end time field of the call record is set to the time stamp of the datagram being processed by process 71 (of course, for a newly-created call record, the end time will correspond to the start time); in addition, the activity flag of the call record is set. In step 92, statistics relating to the receiving endpoint entity are updated. In particular, the first sequence number is entered in the call record if not already present, the number of TCP bytes, TCP segments, and IP bytes are updated, the accumulated set of TCP flags is updated, and the last sequence number seen is entered.
    After completion of step 92, process 71 returns to checking for an entry to be processed in buffer 66 (step 81).
    In this manner the process 71 builds up a record of each call conducted over the network.
    The removal of calls corresponding to connections which have terminated from the group of active call records in control block table 67 is effected by the completion scan process 72. This process 72 is illustrated in flow chart form in Figure 7. More particularly, at periodic time intervals, for example once every three minutes, set by an interrupt timer, the process 72 is started (step 100) and a next-entry pointer is initialised to point to the head of the active call record list 68 (step 101). Thereafter, the list entry pointed to by the next-entry pointer is fetched (step 102) and the next-entry pointer is updated to point to the subsequent list entry, if any. Next, the activity flag of the call record identified by the fetched list entry is examined (step 103). If this activity flag is in a reset state this indicates that the call record has not been created or updated since the last running of the completion scan processor 72 (it being recalled that the activity flag is set by process 71 during creation/updating of a call record); these records are taken as relating to completed connections and, accordingly, the process 72 proceeds to remove these records from the active call record group held in table 67 and transfer them to the completed call record archive 69 (step 104). Thereafter, the process 72 updates the active call list 68 by removing the entry corresponding to the transferred call record.
    In the event of the activity flag of the call record checked in step 103 being in a set state, it is assumed that the corresponding connection is still active and the call record is left in the control block table 67; however, its activity flag is reset (step 106).
    After the completion of step 105 or 106 as appropriate, the process 72 proceeds to step 108 in which it checks whether any more entries are present in the list 68 as indicated by the next-entry pointer. If further entries are present, then the process loops back to step 102. However, if all entries in the list have been processed, process 72 restarts the interrupt timer used to time the intervals between successive scans by the process 72 (step 109) and then terminates (step 110).
    It will be appreciated that if an existing call record is not updated in the period between successive scans, then it will be removed from the active call group held in the control block table 67 during the running of the later of the completion scan process 72. In the present example, the interval between successive runs of the process 72 is three minutes. However, other intervals are possible although the intervals should be longer than 45 seconds as this is the interval that TCP keep-alive packets are sent on certain types of TCP connection. The choice of interval comes down to a trade-off between using up space in the table 67 for idle/complete connections, the amount of time required to scan the active call group, and the amount of off-line call record fragment reassembly that needs to be done to build up complete call records from previously generated incomplete ones (the process 73 illustrated in Figure 4). The advantages of the above-described process 72 is that it obviates the need to check all datagrams to see if it is the last one to be sent for a particular TCP connection and this reduces the processing time per datagram. Furthermore, the process 72 is still effective even if the datagrams containing the connection close-down sequence are lost.
    Of course, if a connection should be idle longer than the interval between successive runnings of the completion-scan process 72, the corresponding call record will be removed from the table 67 before the connection is complete. The remainder of the connection transaction will then be logged as a separate connection with its own call record being created. As a consequence, a number of partially complete call records between the same endpoint entities may be generated. However, the call-record fragment assembly process 73 is used to reassemble these call record fragments by reference to the code bits noted in the TCP flag field of each call record. More particularly, by using the TCP flag list and the start and end times, the process 73 pieces together call record fragments into a set of complete call records. For example, a call record might be split into three calls and the TCP flag list of each of the call records might be as follows:
       Record 1 - SYN, ACK, PUSH
       Record 2 - ACK, PUSH
       Record 3 - ACK, PUSH, FIN
    Given that a normal call should have a flag list containing a SYN, ACK, and FIN (see Figure 3) and generally also PUSH, then it is fairly certain that the above three call records are for the same connection (assuming that the start and finish times match appropriately). This process,does not, of course, guarantee that every call fragment will be picked up successfully, but the majority will.
    It will be appreciated that many variations are possible to the above-call record generator and monitoring method. In particular, it will be appreciated that the call record generator and monitoring method can be applied to monitoring of connections other than TCP connections. Furthermore, a filter could be incorporated into the call record generator to filter out certain categories of frames so that, for example, the call record generator only generated records in respect of calls sourced from a particular network node or sub-network. With regard to the detailed implementation of the call record generator, one possible variant would be for the completion-scan process 72 to use the end time field of each call record to judge whether the corresponding connection is still active. In this case, the contents of the end time field would be compared to the current time as provided by the time stamp timing source. Such an arrangement would obviate the need for an activity flag field. Another possible variant would be to store both the active and completed call records in the same memory and o distinguish the members of each group from each other by an appropriate flag associated with each record. Furthermore, it will be appreciated that it is not essential to use a hash table for accessing the active call records.

    Claims (12)

    1. A method of monitoring communication connections temporarily established over a network (60) between respective pairs of entities for passing protocol data units therebetween, each protocol data unit passed over the network being provided by the sending entity with associated connection information identifying the connection to which it relates, the method involving the step of monitoring (70) the network to identify said protocol data units and the connection to which each such unit relates, characterized by the step of maintaining (71) an active group (67) of call records (75) each representing a respective said connection considered to be currently active, said maintaining step involving:
      adding (87) a new call record to said active group each time a said protocol data unit is identified as relating to a connection unrepresented in said active group;
      updating (91,92) an existing call record in said active group in response to any further said protocol data units being identified as relevant to the connection represented by that record; and
      removing (104) an existing said call record from said active group when said connection is judged completed having regard to a continuing absence of further protocol data units relevant to said connection.
    2. A method according to claim 1, wherein each call record (75) in said active group (67) is provided with a respective activity indicator which is set (91) when the record is created and when the record is updated, the removal of call records from said active group being effected by checking (103) the call records of the active group at intervals and each time removing (104) those records whose activity indicators are in a reset state and resetting (106) the activity indicators of the other records.
    3. A method according to claim 1 or claim 2, wherein the said call records removed from said active group are retained as a completed-call group (69) of records.
    4. A method according to claim 3, wherein at least some of said protocol data units have associated control codes relevant to the progression of the connections to which they relate, including the step of identifying said control codes associated with said protocol data units, and said maintaining step (71) further involving, for each said call record (75) of said active group, storing (92) as part of that record the said control codes relevant to the connection represented by said record; said method further involving the step of scanning (73) the call records of said completed-call group for records relating to connections between the same said pair of entities, and determining from the said control codes stored in such records whether the records constitute partial records of the same connection in which event said records are combined.
    5. A method according to claim 1, wherein each said call record (75) of said active group (67) includes a start-of-call information item set (89) upon creation of that record to indicate a start time of the corresponding connection, and an end-of-call information item which is updated (91) for each protocol data unit subsequently identified as relevant to that record to indicate a potential end time of the corresponding connection.
    6. A method according to claim 5, wherein said step of monitoring (70) the network includes associating a respective time stamp with each said protocol data unit that is identified in that step; said start-of-call information item of each said call record being set (89) to the time stamp of the protocol data unit causing the call record to be created, and the end-of-call information item of the same record being set (91) in turn to the time stamp of each successive protocol data unit identified as relevant to the connection represented by that record.
    7. A method according to claim I, wherein at least some of said protocol data units have associated control codes relevant to the establishment of the connections to which they relate, including the step of identifying said control codes associated with said protocol data units, and said maintaining step (71) further involving, for each said call record (75) added to said active group (67), determining from the said control codes relevant to the connection represented by that record, which entity of said pair of entities associated with that connection initiated the connection, the identity of the initiating entity being stored (89) in said call record.
    8. A method according to claim 1, including the step of determining for each identified said protocol data unit, both quantitative information related to that protocol data unit, and in which direction the unit is being passed between the said pair of entities associated with the said connection to which the protocol data unit relates; said maintaining step (71) being such that each said call record (75) contains respective aggregated said quantitative information for the protocol data units relevant to each said direction between said pair of entities.
    9. A method according to claim 1, wherein said associated connection information of each protocol data unit comprises the network addresses of each of the entities of said pair of entities associated with the connection to which the protocol data unit relates, including the step of identifying the said connection to which each said protocol data unit relates by forming (83) a connection identifier from the network addresses contained in said associated connection information in a manner such that said connection identifier has a form that is independent of the direction of passage of the protocol data unit between said entities, said connection identifier being used in said maintaining step (71) to identify the corresponding said call record (75).
    10. A method according to claim 9, wherein said maintaining step (71) involves storing the said call records (75) of said active group (67) in a hash table with the call record relevant to a particular said protocol data unit being accessed in said hash table by use of a hash key formed from the said connection identifier associated with that protocol data unit.
    11. A method according to any one of the preceding claims, wherein said connections are conducted in accordance with the TCP/IP protocol suite.
    12. Apparatus for monitoring communication connections temporarily established over a network (60) between respective pairs of entities for passing protocol data units therebetween, each protocol data unit passed over the network being provided by the sending entity with associated connection information identifying the connection to which it relates, said apparatus comprising monitoring means (70) for monitoring the network to identify said protocol data units and the connection to which each such unit relates, and characterized by call-record means (67,71) connected to said monitoring means and operative to maintain an active group (67) of call records (75) each representing a respective said connection considered to be currently active, said call-record means comprising:
      storage means (67) for storing said active group of call records,
      record-creation means for determining (86) whether the said connection to which each said protocol data unit relates, as identified by said monitoring means, is represented by a said call record in said active group, and where said connection is determined to be unrepresented by a said call record, adding (87) a new call record to said active group;
      record-updating means for updating (91,92) an existing call record in said active group in response to any further said protocol data units being identified by said monitoring means as relevant to the connection represented by that record; and
      record-removal means for removing (104) an existing said call record from said active group when said connection is judged completed having regard to a continuing absence of further protocol data units relevant to said connection.
    EP92913152A 1992-06-17 1992-06-17 Network monitoring method and apparatus Expired - Lifetime EP0598739B1 (en)

    Applications Claiming Priority (1)

    Application Number Priority Date Filing Date Title
    PCT/GB1992/001090 WO1993026111A1 (en) 1992-06-17 1992-06-17 Network monitoring method and apparatus

    Publications (2)

    Publication Number Publication Date
    EP0598739A1 EP0598739A1 (en) 1994-06-01
    EP0598739B1 true EP0598739B1 (en) 1998-07-29

    Family

    ID=10708834

    Family Applications (1)

    Application Number Title Priority Date Filing Date
    EP92913152A Expired - Lifetime EP0598739B1 (en) 1992-06-17 1992-06-17 Network monitoring method and apparatus

    Country Status (5)

    Country Link
    US (1) US5430709A (en)
    EP (1) EP0598739B1 (en)
    JP (1) JP3290438B2 (en)
    DE (1) DE69226436T2 (en)
    WO (1) WO1993026111A1 (en)

    Families Citing this family (95)

    * Cited by examiner, † Cited by third party
    Publication number Priority date Publication date Assignee Title
    US5491808A (en) * 1992-09-30 1996-02-13 Conner Peripherals, Inc. Method for tracking memory allocation in network file server
    US5862335A (en) * 1993-04-01 1999-01-19 Intel Corp. Method and apparatus for monitoring file transfers and logical connections in a computer network
    US5634009A (en) * 1993-10-01 1997-05-27 3Com Corporation Network data collection method and apparatus
    AU706160B2 (en) * 1994-06-08 1999-06-10 Hughes Electronics Corporation Apparatus and method for hybrid network access
    US6701370B1 (en) * 1994-06-08 2004-03-02 Hughes Electronics Corporation Network system with TCP/IP protocol spoofing
    US5546390A (en) * 1994-12-29 1996-08-13 Storage Technology Corporation Method and apparatus for radix decision packet processing
    US5566170A (en) * 1994-12-29 1996-10-15 Storage Technology Corporation Method and apparatus for accelerated packet forwarding
    US5598410A (en) * 1994-12-29 1997-01-28 Storage Technology Corporation Method and apparatus for accelerated packet processing
    US5781449A (en) 1995-08-10 1998-07-14 Advanced System Technologies, Inc. Response time measurement apparatus and method
    US6226678B1 (en) 1995-09-25 2001-05-01 Netspeak Corporation Method and apparatus for dynamically defining data communication utilities
    US6185184B1 (en) 1995-09-25 2001-02-06 Netspeak Corporation Directory server for providing dynamically assigned network protocol addresses
    US6108704A (en) * 1995-09-25 2000-08-22 Netspeak Corporation Point-to-point internet protocol
    US6009469A (en) * 1995-09-25 1999-12-28 Netspeak Corporation Graphic user interface for internet telephony application
    FI101581B (en) * 1995-11-07 1998-07-15 Nokia Telecommunications Oy Adaptation of protocols in the fixed network without signaling support to mobile networks
    US6052371A (en) * 1996-03-14 2000-04-18 Telefonaktiebolaget L M Ericsson (Publ) System and method for the communication of operation and maintenance, administration and provisioning information over an asynchronous transfer mode network
    US6205143B1 (en) 1996-03-14 2001-03-20 Telefonaktiebolaget L M Ericsson System supporting variable bandwidth asynchronous transfer mode network access for wireline and wireless communications
    US5826018A (en) * 1996-04-02 1998-10-20 Hewlett-Packard Company Method and appparatus for automatically determining the starting location and starting protocol of LAN data in a WAN link frame
    US5949786A (en) * 1996-08-15 1999-09-07 3Com Corporation Stochastic circuit identification in a multi-protocol network switch
    US5774531A (en) * 1996-08-21 1998-06-30 Mci Communications Corporation Telecommunications system and method for automatic call processing according foregoing inbound and outbound calls to arbitrary delegates
    JPH10136055A (en) * 1996-10-24 1998-05-22 Ando Electric Co Ltd Debugging support device
    US6035418A (en) * 1996-12-13 2000-03-07 International Business Machines Corporation System and method for improving resource utilization in a TCP/IP connection management system
    US6714976B1 (en) 1997-03-20 2004-03-30 Concord Communications, Inc. Systems and methods for monitoring distributed applications using diagnostic information
    US6212175B1 (en) * 1997-04-22 2001-04-03 Telxon Corporation Method to sustain TCP connection
    US9098297B2 (en) * 1997-05-08 2015-08-04 Nvidia Corporation Hardware accelerator for an object-oriented programming language
    US5978849A (en) * 1997-06-13 1999-11-02 International Business Machines Corporation Systems, methods, and computer program products for establishing TCP connections using information from closed TCP connections in time-wait state
    JPH11112561A (en) * 1997-09-30 1999-04-23 Sony Corp Communication method and communication equipment
    US6246670B1 (en) 1997-10-16 2001-06-12 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for preventing misrouting of data in a radio communication system
    US6560198B1 (en) * 1997-11-07 2003-05-06 Telcordia Technologies, Inc. Method and system for stabilized random early detection using packet sampling
    US6434116B1 (en) * 1997-11-07 2002-08-13 Telcordia Technologies, Inc. Method and system for stabilized random early detection using connection sampling
    US6061341A (en) * 1997-12-16 2000-05-09 Telefonaktiebolaget Lm Ericsson (Publ) Use of transmission control protocol proxy within packet data service transmissions in a mobile network
    EP0948164A1 (en) 1998-04-01 1999-10-06 Hewlett-Packard Company Generating telephony service detail records
    EP0948163A1 (en) * 1998-04-01 1999-10-06 Hewlett-Packard Company Generating telephony service detail records
    EP1672836A1 (en) * 1998-04-01 2006-06-21 Agilent Technologies, Inc., A Delaware Corporation Generating service detail records with quality of service data
    US6205122B1 (en) * 1998-07-21 2001-03-20 Mercury Interactive Corporation Automatic network topology analysis
    JP2002522957A (en) * 1998-08-03 2002-07-23 ファーストセンス ソフトウェア インコーポレイテッド System and method for monitoring a distributed application using diagnostic information
    US6477571B1 (en) 1998-08-11 2002-11-05 Computer Associates Think, Inc. Transaction recognition and prediction using regular expressions
    US6871229B2 (en) * 1998-08-26 2005-03-22 Sts Software Systems Ltd. Method for storing on a computer network a portion of a communication session between a packet source and a packet destination
    US6122665A (en) * 1998-08-26 2000-09-19 Sts Software System Ltd. Communication management system for computer network-based telephones
    US7216348B1 (en) 1999-01-05 2007-05-08 Net2Phone, Inc. Method and apparatus for dynamically balancing call flow workloads in a telecommunications system
    US6934255B1 (en) 1999-02-02 2005-08-23 Packeteer, Inc. Internet over satellite apparatus
    US6751663B1 (en) 1999-03-25 2004-06-15 Nortel Networks Limited System wide flow aggregation process for aggregating network activity records
    US7167860B1 (en) 1999-03-25 2007-01-23 Nortel Networks Limited Fault tolerance for network accounting architecture
    CA2301999A1 (en) * 1999-03-25 2000-09-25 Nortel Networks Corporation Network accounting architecture
    US7243143B1 (en) 1999-03-25 2007-07-10 Nortel Networks Limited Flow probe connectivity determination
    US20020091636A1 (en) * 1999-03-25 2002-07-11 Nortel Networks Corporation Capturing quality of service
    EP1172017A1 (en) * 1999-04-03 2002-01-16 Top Layer Networks, Inc. Switching system and process for automatic detection of and quality of service for multimedia applications
    DE60034329T2 (en) 1999-04-05 2007-12-20 Tekelec, Calabasas METHOD AND SYSTEM FOR CONDUCTING SIGNALING MESSAGES ASSIGNED TO PORTUGED PARTICIPANTS IN A COMMUNICATION NETWORK
    ATE495500T1 (en) * 1999-06-30 2011-01-15 Apptitude Inc METHOD AND DEVICE FOR MONITORING TRAFFIC IN A NETWORK
    US6789116B1 (en) * 1999-06-30 2004-09-07 Hi/Fn, Inc. State processor for pattern matching in a network monitor device
    US6771646B1 (en) 1999-06-30 2004-08-03 Hi/Fn, Inc. Associative cache structure for lookups and updates of flow records in a network monitor
    US7187662B1 (en) 1999-08-11 2007-03-06 Klingman Edwin E Table driven call distribution system for local and remote agents
    US7263558B1 (en) 1999-09-15 2007-08-28 Narus, Inc. Method and apparatus for providing additional information in response to an application server request
    FR2803707B1 (en) * 2000-01-06 2005-05-20 Wandel & Goltermann Cts PROTOCOL ANALYSIS DEVICE AND METHOD FOR COMMUNICATION NETWORK, CORRESPONDING COMPUTER PROGRAM MEMBER
    US7075926B2 (en) * 2000-05-24 2006-07-11 Alcatel Internetworking, Inc. (Pe) Programmable packet processor with flow resolution logic
    US7117239B1 (en) 2000-07-28 2006-10-03 Axeda Corporation Reporting the state of an apparatus to a remote computer
    US8108543B2 (en) 2000-09-22 2012-01-31 Axeda Corporation Retrieving data from a server
    US7185014B1 (en) 2000-09-22 2007-02-27 Axeda Corporation Retrieving data from a server
    US7533174B1 (en) * 2000-09-29 2009-05-12 Nortel Networks Limited Media gateway connection information recovery
    US6904020B1 (en) * 2000-11-01 2005-06-07 Agilent Technologies, Inc. System and method for monitoring communication networks using data stream characterization
    US7970886B1 (en) * 2000-11-02 2011-06-28 Arbor Networks, Inc. Detecting and preventing undesirable network traffic from being sourced out of a network domain
    US7454614B2 (en) * 2001-03-29 2008-11-18 Microsoft Corporation Method and apparatus for fault tolerant TCP handshaking
    US20030033430A1 (en) * 2001-07-20 2003-02-13 Lau Chi Leung IP flow discovery for IP probe auto-configuration and SLA monitoring
    US7254601B2 (en) 2001-12-20 2007-08-07 Questra Corporation Method and apparatus for managing intelligent assets in a distributed environment
    EP1351445A1 (en) * 2002-03-20 2003-10-08 BRITISH TELECOMMUNICATIONS public limited company Method and apparatus for mapping data traffic flows to application sessions
    EP1355479B1 (en) * 2002-04-15 2005-08-10 Agilent Technologies, Inc. - a Delaware corporation - An apparatus and method for processing information from a telecommunications network
    US7178149B2 (en) 2002-04-17 2007-02-13 Axeda Corporation XML scripting of soap commands
    US7343398B1 (en) 2002-09-04 2008-03-11 Packeteer, Inc. Methods, apparatuses and systems for transparently intermediating network traffic over connection-based authentication protocols
    US7966418B2 (en) 2003-02-21 2011-06-21 Axeda Corporation Establishing a virtual tunnel between two computer programs
    US20040205183A1 (en) * 2003-03-10 2004-10-14 Sandvine Incorporated Method and system for avoiding tracking communication connection state until accepted
    US7764670B2 (en) * 2003-07-29 2010-07-27 Level 3 Communications, Llc System and method for monitoring communications in a network
    US9591468B2 (en) 2003-07-29 2017-03-07 Level 3 Communications, Llc System and method for monitoring communications in a network
    US7231024B2 (en) * 2004-06-18 2007-06-12 Tekelec Methods, systems, and computer program products for selecting or generating a single call detail record (CDR) from a plurality of CDRs associated with a call having a plurality of legs
    US7603459B2 (en) * 2004-09-14 2009-10-13 International Business Machines Corporation System, method and program to troubleshoot a distributed computer system or determine application data flows
    US7660883B2 (en) * 2005-07-01 2010-02-09 Devicescape Software, Inc. Network monitoring device
    US8370479B2 (en) 2006-10-03 2013-02-05 Axeda Acquisition Corporation System and method for dynamically grouping devices based on present device conditions
    US8065397B2 (en) 2006-12-26 2011-11-22 Axeda Acquisition Corporation Managing configurations of distributed devices
    US8606222B2 (en) 2006-12-28 2013-12-10 Tekelec Global, Inc. Methods, systems, and computer program products for performing prepaid account balance screening
    US8213440B2 (en) * 2007-02-21 2012-07-03 Tekelec Global, Inc. Methods, systems, and computer program products for using a location routing number based query and response mechanism to route calls to IP multimedia subsystem (IMS) subscribers
    US8730970B2 (en) * 2007-02-23 2014-05-20 Tekelec Global, Inc. Methods systems, and computer program products for providing voicemail routing information in a network that provides customized voicemail services
    US9379898B2 (en) 2007-05-04 2016-06-28 Tekelec, Inc. Methods, systems, and computer program products for providing billing and usage data to downstream applications
    US8478861B2 (en) 2007-07-06 2013-07-02 Axeda Acquisition Corp. Managing distributed devices with limited connectivity
    US8645527B1 (en) 2007-07-25 2014-02-04 Xangati, Inc. Network monitoring using bounded memory data structures
    US9961094B1 (en) * 2007-07-25 2018-05-01 Xangati, Inc Symptom detection using behavior probability density, network monitoring of multiple observation value types, and network monitoring using orthogonal profiling dimensions
    US8639797B1 (en) 2007-08-03 2014-01-28 Xangati, Inc. Network monitoring of behavior probability density
    US9584959B2 (en) * 2008-11-24 2017-02-28 Tekelec Global, Inc. Systems, methods, and computer readable media for location-sensitive called-party number translation in a telecommunications network
    US9712341B2 (en) 2009-01-16 2017-07-18 Tekelec, Inc. Methods, systems, and computer readable media for providing E.164 number mapping (ENUM) translation at a bearer independent call control (BICC) and/or session intiation protocol (SIP) router
    US9219677B2 (en) 2009-01-16 2015-12-22 Tekelec Global, Inc. Methods, systems, and computer readable media for centralized routing and call instance code management for bearer independent call control (BICC) signaling messages
    US10992555B2 (en) 2009-05-29 2021-04-27 Virtual Instruments Worldwide, Inc. Recording, replay, and sharing of live network monitoring views
    US9319318B2 (en) 2010-03-15 2016-04-19 Tekelec, Inc. Methods, systems, and computer readable media for performing PCRF-based user information pass through
    US8903974B2 (en) 2010-10-05 2014-12-02 Tekelec, Inc. Methods, systems, and computer readable media for user controlled policy sharing
    US9332036B2 (en) 2010-10-15 2016-05-03 Tekelec, Inc. Methods, systems, and computer readable media for providing user receptivity driven policy in a communications network
    US8620263B2 (en) 2010-10-20 2013-12-31 Tekelec, Inc. Methods, systems, and computer readable media for diameter routing agent (DRA) based credit status triggered policy control
    US8681622B2 (en) 2010-12-17 2014-03-25 Tekelec, Inc. Policy and charging rules function (PCRF) and performance intelligence center (PIC) based congestion control
    US9203728B2 (en) * 2011-03-09 2015-12-01 lxia Metadata capture for testing TCP connections
    US8996670B2 (en) 2011-08-05 2015-03-31 Tekelec, Inc. Methods, systems, and computer readable media for network metadata based policy control

    Family Cites Families (6)

    * Cited by examiner, † Cited by third party
    Publication number Priority date Publication date Assignee Title
    US4788721A (en) * 1987-12-09 1988-11-29 Bell Communications Research, Inc. Routing of network traffic
    US5101402A (en) * 1988-05-24 1992-03-31 Digital Equipment Corporation Apparatus and method for realtime monitoring of network sessions in a local area network
    JP2865675B2 (en) * 1988-09-12 1999-03-08 株式会社日立製作所 Communication network control method
    GB9015760D0 (en) * 1990-07-18 1990-09-05 Digital Equipment Int Message network monitoring
    EP0478175B1 (en) * 1990-09-13 1995-11-22 Hewlett-Packard Company A protocol analyzer
    US5231593A (en) * 1991-01-11 1993-07-27 Hewlett-Packard Company Maintaining historical lan traffic statistics

    Also Published As

    Publication number Publication date
    JPH06509927A (en) 1994-11-02
    US5430709A (en) 1995-07-04
    DE69226436D1 (en) 1998-09-03
    EP0598739A1 (en) 1994-06-01
    DE69226436T2 (en) 1998-12-03
    JP3290438B2 (en) 2002-06-10
    WO1993026111A1 (en) 1993-12-23

    Similar Documents

    Publication Publication Date Title
    EP0598739B1 (en) Network monitoring method and apparatus
    US6940821B1 (en) Method and apparatus for detecting a fault in a multicast routing infrastructure
    CN100514921C (en) Network flow abnormal detecting method and system
    US20060280121A1 (en) Frame-transfer control device, DoS-attack preventing device, and DoS-attack preventing system
    US7355971B2 (en) Determining packet size in networking
    US7453905B2 (en) Mobile node, mobile agent and network system
    US8326916B2 (en) Relay method, relay apparatus, and computer product
    JPH1127308A (en) Link monitor method having provision for internet
    US20060020705A1 (en) Managing and checking socket connections
    Hinden et al. The DARPA Internet: interconnecting heterogeneous computer networks with gateways
    JP2005521337A (en) Application program interface
    Mogul Network locality at the scale of processes
    CN107623752B (en) Network management method and device based on link layer
    US11055166B2 (en) Covertly storing a payload of data within a network
    US7440473B2 (en) Apparatus and method for compressing a header of a packet
    CN113114643B (en) Operation and maintenance access method and system of operation and maintenance auditing system
    JP3892322B2 (en) Unauthorized access route analysis system and unauthorized access route analysis method
    JP3961415B2 (en) Protocol defect automatic detection method and protocol defect automatic detection device
    US20060288102A1 (en) Method and system for improved management of a communication network by extending the Simple Network Management Protocol
    JP3465183B2 (en) Network monitoring method
    JPH07321783A (en) Network monitor equipment
    JP2002026927A (en) Capsulating method and unit, and program recording medium
    JP3487551B2 (en) Monitor device, monitor method, and recording medium
    CN117729054B (en) VPN flow identification method and system based on full flow storage
    JP3763140B2 (en) Error transmission method, error transmission program and error transmission system in SNMP protocol

    Legal Events

    Date Code Title Description
    PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

    Free format text: ORIGINAL CODE: 0009012

    17P Request for examination filed

    Effective date: 19940218

    AK Designated contracting states

    Kind code of ref document: A1

    Designated state(s): DE FR GB

    R17P Request for examination filed (corrected)

    Effective date: 19940128

    17Q First examination report despatched

    Effective date: 19970116

    GRAG Despatch of communication of intention to grant

    Free format text: ORIGINAL CODE: EPIDOS AGRA

    GRAG Despatch of communication of intention to grant

    Free format text: ORIGINAL CODE: EPIDOS AGRA

    GRAH Despatch of communication of intention to grant a patent

    Free format text: ORIGINAL CODE: EPIDOS IGRA

    GRAH Despatch of communication of intention to grant a patent

    Free format text: ORIGINAL CODE: EPIDOS IGRA

    GRAA (expected) grant

    Free format text: ORIGINAL CODE: 0009210

    AK Designated contracting states

    Kind code of ref document: B1

    Designated state(s): DE FR GB

    REF Corresponds to:

    Ref document number: 69226436

    Country of ref document: DE

    Date of ref document: 19980903

    ET Fr: translation filed
    PLBE No opposition filed within time limit

    Free format text: ORIGINAL CODE: 0009261

    STAA Information on the status of an ep patent application or granted ep patent

    Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

    26N No opposition filed
    REG Reference to a national code

    Ref country code: GB

    Ref legal event code: 732E

    REG Reference to a national code

    Ref country code: FR

    Ref legal event code: TP

    REG Reference to a national code

    Ref country code: FR

    Ref legal event code: TP

    REG Reference to a national code

    Ref country code: GB

    Ref legal event code: IF02

    PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

    Ref country code: FR

    Payment date: 20050617

    Year of fee payment: 14

    PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

    Ref country code: DE

    Payment date: 20050801

    Year of fee payment: 14

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: DE

    Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

    Effective date: 20070103

    REG Reference to a national code

    Ref country code: FR

    Ref legal event code: ST

    Effective date: 20070228

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: FR

    Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

    Effective date: 20060630

    PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

    Ref country code: GB

    Payment date: 20090617

    Year of fee payment: 18

    GBPC Gb: european patent ceased through non-payment of renewal fee

    Effective date: 20100617

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: GB

    Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

    Effective date: 20100617